Both of these allow signed APKs to be exploited by replacing the code they contain while the existing signature remains valid, leading you to think the package still comes from the original author, someone you trust.
The original Android sources have been corrected to fix both situations, but it might take a while until stock ROMs include the fixes, if ever.